Question 7 - Fortinet FCP_FSM_AN-7.2 Real Exam Questions [Jan 2026 Update]

Q: 7

Refer to the exhibit. As shown in the exhibit, why are some of the fields highlighted in red?

Options

Correct Answer:

Explanation

In FortiSIEM, the query builder highlights certain attributes in red when they are used in a GROUP BY clause to warn the user about potential performance issues. These attributes, such as Source IP, Destination IP, and User, are considered to have "high cardinality," meaning they can have a very large number of unique values. Grouping by such attributes can result in a massive, slow-running query that consumes significant system resources and may produce an unmanageably large report. The red highlight serves as a visual caution to the administrator to reconsider the query structure, perhaps by using filters instead of grouping on these specific fields.

Why Incorrect

B. The attribute COUNT(Matched Events) is an invalid expression.

COUNT(Matched Events) is a standard and valid aggregate function used in FortiSIEM analytics to count the number of events within each group.

C. No RAW Event Log attribute information is available.

The attributes are available for selection in the query builder, which means their information exists. The issue is not their availability but their suitability for a GROUP BY operation.

D. The Event Receive Time attribute is not available for logs.

Event Receive Time is a fundamental, mandatory attribute for every log and is shown in the GROUP BY clause without being highlighted, confirming its validity for use.

References

1. Fortinet FortiSIEM 7.0.0 Administration Guide

Page 238

"Rules for Constructing a Query": "Some attributes have a very high cardinality

meaning that they can take on a large number of unique values... FortiSIEM will highlight these attributes in red if you try to use them in a GROUP BY clause. This is to warn you that your query may run very slowly and produce a large number of results."

2. Fortinet FortiSIEM 7.0.0 User Guide

Page 111

"Building a Query in the Analytics Tab": "Some attributes

such as Source IP

have a very high cardinality... If you try to use one of these attributes in a GROUP BY clause

FortiSIEM will highlight it in red to warn you that this may result in a very large and slow-running query."

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE